Hi Ted,
When running as non-root, note that cf-serverd uses ~/.cfagent as its
working directory.
This means it does not share workdir with the rest of the Cfengine components.

One thing you might want to consider in particular is the lastseen report.
cf-serverd creates a dbm-database of incoming connections, which might
not be shared with the other components.
This would, for example, affect the hostsseen() function:
http://www.cfengine.org/manuals/cf3-reference.html#Function-hostsseen
It would become less useful for the agent.

So it depends on your policy I guess, but you should expect to spend
more time if you decide to run cf-serverd as non-root.
Personally, I would think it's more effort than it's worth, but that's just me..

--
Regards,
Eystein

2011/3/15 Ted Zlatanov <t...@lifelogs.com>:
> On Mon, 14 Mar 2011 19:16:48 +0100 (CET) neilhwatson wrote:
>
> n> Are you proposing that the agent with root privilege should fetch
> n> files from the server running as non-root?  I'm having trouble
> n> visualizing your architecture.  I appreciate the effort run at least
> n> privilege but, are there any clear risks that justify this extra
> n> effort?
>
> This is a very common requirement and one of the reasons we don't run
> cf-serverd here.  If a process has no need to run as root, it shouldn't.
>
> Ted
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@cfengine.org
> https://cfengine.org/mailman/listinfo/help-cfengine
>